Disclosed are a system and a method employing a user's fingerprint to authenticate a wireless communication. The user's personal
fingerprint is employed as the secret key in the context of a modified "challenge-response" scenario. The system includes a fingerprint
capture module on a mobile personal wireless communication device (e.g., a wireless telephone) and a central authentication system coupled
to a conventional mobile switching center. The central authentication system contains information that associates each mobile identification
number ("MIN") with a particular user's fingerprint. When a wireless communication is to be initiated, the central authentication system
engages in a challenge-response authentication with the mobile switching station or the wireless phone using the stored fingerprint associated
with the MIN through the common air interface. The correct response from the mobile station will only be generated when the user's
fingerprint entered through the fingerprint capture module attached to the mobile station matches the information sent from the central
authentication system, and only calls placed from authorized users are connected.
METHOD OF USING FINGERPRINTS TO AUTHENTICATE WIRELESS COMMUNICATIONS

Cross Reference to Related Applications

This application claims priority from (1) US Provisional Patent Application No.
60/025,947 filed September 11, 1996, entitled METHOD OF USING FINGERPRINTS
TO ELIMINATE WIRELESS PHONE FRAUD AND TO ASCERTAIN A CALLER'S
IDENTITY and naming Y. Li, D. R. K. Rao, and S. Subbiah as inventors, and (2) US
Provisional Patent Application No. 60/025,949, filed September 11, 1996, entitled
EMBEDDABLE MODULE FOR FINGERPRINT CAPTURE AND MATCHING, and
naming R. Rao, S. Subbiah, Y. Li, and D. Chu as inventors. Both of these applications
are incorporated herein by reference in their entireties and for all purposes.

Background of the Invention

The present invention relates to security measures for wireless telephones or cellular
mobile phones. More particularly, the invention relates to authentication methods
employing biometric information (e.g., fingerprints) to guarantee non-fraudulent use of
wireless telephones or cellular mobile phones.

As known in the state of the art, wireless telephones or cellular mobile phones are
identified by mobile identification numbers (MINs) and electronic serial numbers (ESNs).
Current protocols for wireless communication, either placing or receiving a call, require
both the MIN and the ESN to be broadcast through a standard common air interface (CAI)
between the wireless telephone and a mobile switching center (MSC) for authorization and
billing purposes. However, such information can be easily intercepted and obtained via
specialized scanning equipment that is readily available. MINs and ESNs captured this
way can be illegally programmed into other cellular phones for the purpose of placing calls
that will be billed to the person that the MIN and ESN has been legitimately assigned to.
This type of theft has become a common practice world-wide, and millions of dollars are
lost to the wireless service providers and law enforcement agencies (US $650 million in
1995).

Various methods have been proposed to solve this problem. One method
(described in U.S. Pat. No. 5,448,760) proposes the idea of requesting a personal
identification number (PIN) each time a call is placed. The PIN can be safely transmitted
through a different channel. However, this inconveniences the user and many users even
forget their PINs. Another method (described in U.S. Pat. No. 5,420,908) proposes
monitoring each customer's habit or calling pattern (also known as user profiles) and
blocking any calls that do not fit the customer's previous calling pattern. However, such a
method suffers from two problems: (1) the calling pattern of a customer is difficult to
accurately pin point (any time the calling pattern changes a legitimate call might be blocked)
and (2) it will not successfully block calls from phones that continually change the MIN-ESN
pair that they employ.

In another method (described in U.S. Pat. No. 5,420,903 issued to Hodges and
Rubenstein and incorporated herein by reference), a "challenge response" authentication
scheme is proposed to solve fraudulent use in wireless communication. The proposed
method includes a central authentication system serving several MSCs which store all
MINs with associated secret keys that are used to generate the "challenge response"
authentication. Having one central authentication system for several MSCs eliminates the
need for cross-system access between different MSCs. However, for security reasons --
e.g. power failure, computer hacker attacks, natural disasters -- there should be at least one
additional remote site that maintains a mirror copy of the central authentication system.
Ideally, backup communication between the central authentication system and its mirror(s)
allows both hot and cold backups to dynamically maintain identical copies at all times. All
MSCs communicate with the central authentication platform through a standard phone line.
This method also requires each wireless phone to have a device which contains special
information to generate a correct response to a specific "challenge". Each time that a user
uses a cellular phone, the MIN and ESN are sent to the MSC just as in the standard
protocol used in wireless communication today. Then the MSC sends the information
through a secure public switched telephone network (PSTN) line to the central
authentication platform. The central system then takes the secret key which is associated
with the MIN and generates a challenge which is sent to the cellular phone through a
different wireless forward channel. The cellular phone then uses its special internal module
to generate a response to the challenge which is then sent back to the MSC by wireless
means and then forwarded to the central system via standard PSTN lines. The central
system then compares the cellular phone's response to the pre-calculated response value it
expects. If the response is correct the use is authorized.

Such a system has certain advantages and should improve security in wireless
communication. Although no specific type of secret key was disclosed in the '908 patent,
the specified secret keys - including a string of special integers - suffer major drawbacks.
First, computer systems are always subject to intruders/hackers. For example, just recently
there was the much celebrated case of Tsutomu Shimomura the network security expert and
his attacker Kevin Mitnick the outlaw computer hacker (In Takedown by John Markoff and
T. Shimomura, Hyperion Press: USA 1995). In the case of a break-in or even a suspicion
of a break-in, all stored secret keys are rendered useless and all the keys need to be
updated. This necessarily means that all the users have to visit their service provider in
person and update their secret key. Second, if only one or a few keys are stolen at any
given time, the system would not be able to detect the theft until the end of each billing
cycle (if even then). Third, the "challenge" is MIN-specific; the thieves who capture the
MIN and ESN through the air interface can also capture the "challenge" and its "response"
and attempt to crack the secret key. While some encryption methods like RSA can be made
very secure now, the powerful computers that can be expected to become widely available
in the future may allow secret keys to be cracked with the knowledge of multiple challenges
and their responses. Still further, with the global computer connectivity, Internet viruses
have become a major issue and almost every week there is a new virus that is released,
particularly from less developed countries. If the central authentication system gets infected
and the files tampered with, as before, all users have to return to their service provider to
have a new secret key reissued. All these four scenarios are quite likely to happen in our
age of high-tech criminals and even-higher tech teenage pranksters.

What is needed therefore, is an improved security system to protect against
unauthorized use of wireless communications. The method and associated system should
provide improved security and be easy to maintain.

Summary of the Invention

The current invention expands on the principles and protocols discussed above.
The relevant extension involves using a token generated from biometric information, the
user's personal fingerprint in particular, as the secret key in the context of a modified
"challenge-response" scenario. As will be explained, this virtually eliminates all of the
drawbacks discussed above. Most generally, the invention involves the use of fingerprint
matching to authenticate a call or other communication over a wireless communication
network. The matching may be employed at a central location on the network, at the
personal wireless device, or both.

One aspect of the invention provides methods of authenticating calls to be made
over a communication system. Typically, both a wireless source (e.g., a mobile telephone)
and a central authentication node that may service numerous nodes participate in the
methods -- although each operates according to its own protocol.
An authentication method implemented on the central authentication node may be
characterized by the following sequence: (a) determining that the call has been initiated from
a source; (b) determining whether source fingerprint data provided from the source matches
stored fingerprint data associated with the source; and (c) if the source fingerprint data
matches the stored fingerprint data, allowing the call to be completed. Matching may
involve separate matching steps at both the source and the central authentication node. It
may also involve decrypting a challenge. In addition to the above basic steps, the
authentication node may request that the source fingerprint data be provided from the
source of the call. In the case of a mobile telephone system, the call initiated from the
source may be forwarded through any of a plurality of mobile switching centers to reach
the central authentication node. That is, the central authentication node may serve multiple
switching centers. In a preferred embodiment, the central authentication node accesses the
stored fingerprint data from a database that associates particular users' accounts with their
fingerprints. The fingerprint data (from the source or stored database) may be embedded in
a token having a format making it difficult to extract the fingerprint data. In one
embodiment, that token format may be an inter-minutiae distance-vector-derived format
such as one of the formats commonly employed in the art.

In one specific embodiment, the method also involves (a) encrypting a challenge
with the stored fingerprint data to produce an encrypted challenge; and (b) providing the
encrypted challenge to the source for the purpose of decrypting by the source with the
source fingerprint data. The step of determining whether the source and stored fingerprint
data match preferably involves (i) receiving a decrypted challenge from the source, which
decrypted challenge had been decrypted with the source fingerprint data; and (ii) comparing
the challenge with the decrypted challenge from the source. If the two match, then it is
assumed that the stored and source fingerprints also match and the call is allowed to
proceed.

In a particularly preferred embodiment, the method involves a further security
feature to avoid use of a stolen fingerprint token. This technique operates on the
assumption that each time an individual gives a fingerprint, the print is slightly different due
to the flexibility of the finger skin, the angle at which the finger is pressed down, etc.
Thus, it is exceedingly rare that any two finger imprints from a given user will be identical.
Recognizing this, the method may require the following: (a) determining whether the
source fingerprint data is identical to one or more instances of sample fingerprint data
previously received; and (b) if the source and any one of the instances of the sample
fingerprint data are identical, preventing the call from being completed.
Authentication methods implemented on a source such as a wireless telephone (as
opposed to the central authentication center as described above) may be characterized as
including the following steps: (a) transmitting a dialed number to a switching center on the
communication network; (b) receiving a user's fingerprint (possibly after a prompt); (c)
generating source fingerprint data from the user's fingerprint; and (d) if the source
fingerprint data matches stored fingerprint data associated with the user, completing the call.
The source may itself determine whether the source fingerprint data matches the stored
fingerprint data prior to completing the call. In the case of a wireless telephone, the method
may also include traditional calling steps such as transmitting at least one of an MIN and an
ESN to the switching center.

In conjunction with the encryption technique described above for the central
authentication node, the source may perform the following steps: (i) receiving an encrypted
challenge from the switching center; (ii) decrypting the encrypted challenge with the source
fingerprint data to produce a decrypted challenge; and (iii) transmitting the decrypted
challenge to the switching center, such that if the decrypted challenge is found to match an
unencrypted challenge, specifying that the source fingerprint data matches the stored
fingerprint data (allowing the call to proceed).

A personal wireless communication device (e.g., a wireless telephone) suitable for
use with the authentication methods of this invention may be characterized as including the
following features: (a) a wireless communications interface for sending and receiving
wireless communications; (b) a device for capturing the user's fingerprint; and (c) a
processing device (e.g., a CPU) capable of converting the user's fingerprint to source
fingerprint data which can be transmitted. Preferably, the wireless device includes a casing
and provided within that casing are both the device for capturing the user's fingerprint and
the processing device.

The wireless communications interface should be capable of sending the source
fingerprint data to a remote location. Preferably, it should be capable of sending and
receiving fingerprint data over a data channel which operates at a different frequency from a
communications channel which sends and receives the wireless communications.

In one embodiment, the device for capturing the user's fingerprint includes: (i) a
fingerprint capture surface on which the user can place his or her finger to produce an
optical image of his or her fingerprint; (ii) an imager capable of generating an electronic
image of the user's fingerprint (e.g., a CCD array or CMOS photodiode/photogate array);
and (iii) optics for directing the optical image of the user's fingerprint from the fingerprint
capture surface to the imager. In a preferred embodiment, the imager is a CMOS
photodiode/photogate array which is provided on an integrated circuit together with the
processing device. In an alternative embodiment, the device for capturing the user's
fingerprint includes an imager which does not require optics. Examples of such
"optics-free" imagers include capacitor arrays or ultrasonic mechanisms formed on semiconductor
substrates.

The processing device should contain the logic and resources necessary for
comparing the source fingerprint data with stored fingerprint data received from a remote
location. Preferably, the processing device should also be capable of decrypting a
challenge received from the remote location.

As noted, the biometric "challenge-response" authentication scheme of this
invention preferably employs a central authentication platform serving several or all MSCs
and wireless phones. In this manner, the current invention seeks to prevent fraudulently
placed wireless calls using stolen MIN-ESN information.

Another aspect of the invention provides a central authentication system or node
connected to a communications network and capable of rendering wireless communications
secure by processing biometric information from a user. Such central authentication
systems may be characterized as including (a) a communications interface for sending and
receiving data communications over the communications network; (b) a database interface
for accessing a database containing stored fingerprint data associated with users of wireless
communications devices; and (c) a processor capable of determining whether a wireless
communication from a wireless communications device should be permitted based upon a
match between a fingerprint taken from the wireless communications device and stored
fingerprint data associated with the wireless communications device.

Often the communications interface will be coupled to a public switched telephone
network such that the data communications are directed to one or more mobile switching
centers on the network. The database - which may form part of the central authentication
system - preferably includes, for at least some of the wireless communications devices, a
plurality of received tokens containing information from fingerprints taken at the wireless
communications devices. The system then compares newly received tokens from a given
wireless communication device with the plurality of tokens for that wireless
communications device.

These and other features and advantages of the present invention will be further
described below with reference to the associated drawings.
Brief Description of the Drawings

Figure 1 is a block diagram of various components of the present invention as it may be
employed in a cellular phone system.

Figure 2 is a representation of a MIN-challenge key database table used to store tokens
from biometric information in accordance with one preferred embodiment of this invention.

Figures 3A and 3B together present a process flow diagram depicting a sequence of
events in a challenge-response authentication method of the present invention.

Figure 4 is a block diagram depicting basic components of a fingerprint capturing unit
and an associated wireless telephone in accordance with a preferred embodiment of the present
invention.

Figure 5 is a flow diagram depicting a fingerprint matching technique that may be
employed with the present invention.

Figure 6 is a block diagram of a central authentication system for processing biometric
information from a mobile telephone in accordance with one embodiment of the present
invention.

Detailed Description of the Preferred Embodiments

The present invention is described herein in terms of a wireless telephone system.
The invention is not so limited. For all purposes of this current invention, the term
"wireless telephone" (or "wireless communication system") generically will be understood
to include cellular phones, personal communication systems, telephones, personal digital
assistants, wireless personal computers, wireless notebooks, etc. using analogue or digital
electronics technology. While the present invention is currently envisioned as providing
substantial benefit to wireless communications, there is in principle no reason why it could
not be applied to communications generally. Any communication that could benefit from
authentication may be implemented with the present invention. Such communications
include those made over a wire-based telephone system and employing an account code.

The communications allowed over the communication system will sometimes be
referred to herein as "calls." Examples of communications (calls) within the context of this
invention include (a) analog transmissions such as telephone calls transmitting analog voice
data over a wire medium or a wireless medium and (b) digital transmissions such as
packetized messages over a network (LAN, WAN, Internet, etc.) and digital voice data
over a wireless medium. Communications involving packetized transmissions may be
connection-based transmissions such as TCP or connectionless transmissions such as
UDP.

Fingerprint technology including hardware image capture, software image
processing, software/hardware for fingerprint data storage and software for fingerprint
analysis/comparison is a relatively mature technology with over 20 years of development
(see, for example, U.S. Pat. Nos. 2 952 181, 4 151 512, 4 322 163, 4 537 484, 4 747
147, 5 467 403, each of which is incorporated herein by reference for all purposes). It is
well-known that no two individuals possess the same identical fingerprint and that accurate
matching techniques in conjunction with well-captured images can positively identify an
individual. The term "fingerprint" as used herein refers to handprints, palmprints, and
other unique skin patterns in addition to traditional fingerprints.

The present invention may employ sophisticated hardware and software to allow
rapid fingerprint based identification as described in U.S. Provisional Application No.
60/025,949, filed on September 11, 1996, naming R. Rao, S. Subbiah, Y. Li & D. Chu as
inventors, and previously incorporated by reference. That application describes an
extremely small, low-cost fingerprint capture hardware module that lends itself to ready
insertion into many devices. The referenced Provisional Application was incorporated
herein by reference for all purposes and is illustrative of the maturity of the fingerprint
capture and comparison technology.

FIG. 1 shows an apparatus that may be used to process a wireless call in
accordance with the principles of the current invention. A fingerprint capturing device
("FCPD") 101 (such as that described in U.S. Provisional Application No. 60/025,949,
previously incorporated by reference) with an on-board CPU for processing and
comparison of the captured fingerprint image (see FIG. 4) is connected to the wireless
telephone 102. This connection may be by any method, i.e. via a telephone modem or a
data port specifically built-in to the wireless telephone 102, an acoustic coupler, or the
direct incorporation of the fingerprint module 101 into the wireless telephone 102.
Preferably, the module 101 can be incorporated within telephone 102 such that a standard
mobile telephone casing may house all electronics for operation of the telephone and
fingerprint processing. In an especially preferred embodiment, the electronics for
processing both the fingerprints and the telephone calls are provided on a single integrated
circuit chip. This makes it especially difficult to tamper with the system by, for example,
intercepting signals between fingerprint capturing module 101 and telephone 102.



WO 98/11750

PCT/US97/16094



In one embodiment of the invention which employs a protocol similar to that of
conventional wireless systems, each phone is provided with a MIN and ESN. When the
user dials a telephone number using a keypad 112 on the wireless telephone 102, the MIN,
ESN, and the number of the party being called are transmitted to a Mobile Switching Center
(MSC) 103 of a wireless carrier 104. In response, MSC 103 performs the standard
verification of the MIN and ESN as well-known in the art (see for example, In Wireless
Communications, by T. S. Rappaport, 1996, Prentice-Hall which is incorporated herein by
reference for all purposes). If the MIN and ESN belong to a special group of users who
have previously requested the additional layer of fingerprint based security with their
service, the MIN and ESN are sent to a Central Authentication System (CAS) 106 via a
public switched telephone network (PSTN) or internet 105 to avoid direct access of CAS
106 through the air interface. This provides additional security for the CAS.

In response to the MIN being forwarded by MSC 103, CAS 106 looks up its built-in
MIN-Challenge Key Database (MCKD) 107 and retrieves an appropriate Challenge Key
(CK 202, FIG. 2) that is associated with that particular MIN. The CK 202 is a token that
has been derived from the user's fingerprint when the user first registered the purchase of
his/her phone service. The CK 202 is then used to encrypt a "challenge" that is generated
by the CAS 106. The challenge that is formulated by the CAS 106 is different each time
when it is accessed by the same or different users. The CK 202 and the encrypted
challenge are then jointly sent to wireless telephone 102 through any available forward
voice channel (FVC) or forward control channel (FCC) for example.

After reception of the challenge from CAS 106 by wireless telephone 102, the
challenge is forwarded to FCPD 101 as detailed in FIG. 4. The user's fingerprint
information could have been requested by FCPD 101 either before this point and after the
user entered the number of the called party, or at this time point itself. A token, which in
one embodiment could simply be an encoded collection of a set of unique minutiae/features
found in the fingerprint, is then generated based on the fingerprint information captured
locally by FCPD 101. As well-known in the art of fingerprint matching, a fingerprint from
any individual is unique to that individual and therefore the variety of slightly different
tokens (tokens can differ by a feature or two without any loss in uniqueness) that can be
generated can only come from that individual. This is then compared with fingerprint-based
token CK 202 that was received from CAS 106. If there is a match of the tokens,
the encrypted message is decrypted by using token CK 202 received from CAS 106. In
other embodiments, either or both tokens could be used to decrypt the challenge. A
response (the decrypted challenge) is then sent back to MSC 103 through any of the
available reverse voice channels (RVCs) or reverse control channels (RCCs). This is then
forwarded via PSTN or Internet 105 (for additional security one may limit use of the
common air interface as much as possible) back to CAS 106.

The response from FCPD 101 to CAS 106 contains both the decrypted message
and a token that is generated from the fingerprint image the user supplied. If (1) the
received decrypted message matches the expected response (i.e., the original unencrypted
challenge that had been temporarily stored in CAS 106, as detailed in FIG. 6) and (2) the
token received from the FCPD 101 matches the CK 202 in the MCKD 107, the call is
authorized and connected. This double matching method will reduce false positives. It will
also prevent any illegal attempt that relies only on a decryption of just the encoded
challenge.

It is important to note that tokens generated from the same finger vary every time
the fingerprint is captured. In a preferred embodiment, if the token sent from FCPD 101
(via wireless telephone 102) is identical to that in the database (CK 202) the call will not be
authorized, since it is extremely unlikely that the exact same token will be generated in
subsequent image capture of the same finger. Presumably, such exact token matching will
only happen if the token had been illegally captured and is being used for illegal access into
the phone network. In this embodiment, the database may store up to a pre-specified
number of tokens sent by user from wireless telephone 102. If the most current token sent
from the user is identical to any token from this list, the call is also blocked, since this may
indicate the interception of a particular token sent from user to CAS 106 and used illegally.
This is a major advantage of the current invention since the token CK 202 used for
encryption (in other words the secret key that is central to all 'challenge-response'
authentication methods) can itself be broadcast over the common air interface or even made
public. Thus the secret aspect of system described in the above-referenced Hodges and
Rubenstein patent may be avoided in one embodiment. To reiterate, by blocking exact
matches between a newly generated token and a stored token (one embodiment of this
invention), the illegal capture of the token CK 202 does not enable third-parties to
fraudulently initiate calls. This is a clear and substantial advantage over the prior art, and
derives from the fact that personal biometric information is being used to generate secret
keys.

A further advantage is the token's resistance to corruption due to wireless noise. In
one embodiment, a loss of a few features of the minutiae set from the token will still leave
sufficient uncorrupted features to allow unique matching against another token derived
from the same finger. One could therefore expect a "fuzzy" (non-deterministic) set of
minutiae that will give unique matching. Another advantage of the current invention
derives from the fact that the CK 202 tokens can be made public with no ill effects. Thus if
the database MCKD 107 is stolen or attacked by computer hackers and viruses, as long as a
backup copy of the database MCKD 107 exists at a remote and secure mirror-site, there is
no lasting negative consequence (so long as exact matches with prior stored tokens require
that a call be blocked).

FIG. 2 shows a typical structure for the MIN-Challenge Key Database 107
("MCKD") in accordance with one embodiment of this invention. A CK 202 is stored in
association with each MIN 201. Additional instructions or restrictions on the use of each
MIN 201 can be stored in a special instruction section (SIS) 203. These may include, for
example, blocks on long distance calls to certain localities, restrictions on calls over a
certain dollar amount, etc. In addition, MCKD 107 includes a column 204 for storing
recently received tokens from FCPD 101. Anytime that a received token exactly matches
one of the tokens stored in column 204, the call may be blocked.

The CK 202 is a token that is generated from the fingerprint that the user initially
provided when registering with the phone company. This token contains information
pertinent to the fingerprint minutiae information that has been embedded so as to ensure that
if stolen it would not lead to a loss of the original fingerprint itself.

Since fingerprint images vary slightly from print to print, such tokens from the
same finger at repeated times will be different. Also, depending upon the format of
fingerprint minutiae in the tokens, two separately generated tokens of the same print will
not from the outside appear similar - only when fingerprint matching algorithms for
comparison are applied to both tokens generated from different impressions of the same
finger can both tokens be deemed to be from the same fingerprint. Thus simple possession
of a token from a given fingerprint will not enable anyone to generate other different tokens
corresponding to a different fingerprint impression from the same finger. This renders the
method very robust and tamper proof.

Token matching first requires extraction of the fingerprint minutiae from the token. 
These are then compared by matching their two-dimensional coordinates. If the
coordinates match to within a defined tolerance, the tokens are deemed a match. As
explained below, tokens may be provided with a timestamp as an extra security measure.

As known in the state of the art, many fingerprint matching schemes involve the
generation of inter-minutiae-based keys (i.e. distance vectors, etc.) that while being generally
similar, will vary between multiple impressions of the same finger. Various inter-minutiae
distance-vector-derived formats are known in the art. Many of these (as well as variations on
them) may be suitable for generating keys in accordance with this invention. Such keys may,
of course, also serve as tokens such as CK 202 in this invention. Suitable matching schemes
are described in, for example, US Patent No. 4,747,147 issued to Sparrow on May 24, 1988,
US Patent No. 5,493,621 issued to Matsumura on February 20, 1996, and information
provided at the World Wide Web site www. Lucent. Com/Prcss/0597/minu I .GAF. Each of
these documents is incorporated herein by reference for all purposes. A typical description of a
processed fingerprint is a list of x, y and angle tabulation of each minutia. Minor modification
to these linear values (e.g., adding slight random displacements) will still reflect the same
underlying fingerprint, allowing for variation during multiple impressions (e.g., slight
distortions and rolling during the pressing of the finger). Thus, using straightforward minutiae
tabulations as tokens is susceptible to minor modification that could result in illegal phone
access.

A different and frequently used description of fingerprint information is the
inter-minutiae distance vector information. Such descriptions are inherently non-linear in nature and
so when tabulations of these are randomly or systematically modified (i.e. without explicit
knowledge of the inherent non-linearity) in minor and linear ways, the new modified tabulation
will not, in general, reflect the underlying original fingerprint, even when allowing for
variation between multiple impressions of the same fingerprint.

Thus, use of such inter-minutiae distance-vector-derived keys (tokens) for matching
purposes will foil wireless fraudsters who may somehow illegally capture the transmitted
and encrypted fingerprint information and try to use the exact same keys to fraudulently
activate phone calls. That is, in general legal phone use, one expects the transmitted
fingerprint keys to be somewhat different each time, and different in a way that makes
sense with respect to the fingerprint. In illegal use, where the encrypted keys are captured,
decrypted and re-transmitted, the repeated use of a set of exact same identical keys can be
readily detected. Any minor modification of the keys made without specific prior knowledge
of the non-linear relationships would, in order to pass as genuine, still have to be compatible
with the true fingerprint, and thus leads to the detection of such fraudulent use.
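One way to make the non-linearity argument above concrete, as an added example that is not part of the patent: a table of inter-minutiae distances is only valid if some set of points in the plane produces it, and that can be tested. The helper names, the sample minutiae and the 0.5-pixel edit are all constructed for illustration.

```python
"""Added illustration (not from the patent): linear edits to an inter-minutiae
distance table break its geometry, while a genuine re-impression does not."""
import math
from itertools import combinations


def distance_table(points):
    """Inter-minutiae distances d[i][j] for a list of (x, y) minutiae."""
    return [[math.dist(p, q) for q in points] for p in points]


def planar_residual(d):
    """Largest gap between table d and the planar layout rebuilt from it.

    Points 0 and 1 fix the x-axis and point 2 fixes which side is "up". Every
    other point is placed by trilateration from d[0][k] and d[1][k]; its mirror
    ambiguity is resolved with d[2][k]. Assumes points 0, 1, 2 are not collinear.
    """
    n = len(d)
    base = d[0][1]
    placed = [(0.0, 0.0), (base, 0.0)]
    for k in range(2, n):
        x = (d[0][k] ** 2 - d[1][k] ** 2 + base ** 2) / (2 * base)
        y_sq = d[0][k] ** 2 - x ** 2
        if y_sq < -1e-6:
            return math.inf  # no triangle has these three side lengths
        y = math.sqrt(max(y_sq, 0.0))
        if k > 2:
            up = abs(math.dist((x, y), placed[2]) - d[2][k])
            down = abs(math.dist((x, -y), placed[2]) - d[2][k])
            if down < up:
                y = -y
        placed.append((x, y))
    return max(abs(math.dist(placed[i], placed[j]) - d[i][j])
               for i, j in combinations(range(n), 2))


def max_shift(a, b):
    """Largest entry-wise difference between two distance tables."""
    return max(abs(a[i][j] - b[i][j])
               for i, j in combinations(range(len(a)), 2))


def tamper(d, delta=0.5):
    """Edit a captured table linearly: add the same small delta to every distance."""
    return [[0.0 if i == j else v + delta for j, v in enumerate(row)]
            for i, row in enumerate(d)]


# Constructed sample data, kept simple so the arithmetic can be checked by hand.
ENROLLED = [(0, 0), (30, 0), (0, 40), (30, 40), (15, 20)]
# A second impression of the same finger: each minutia moved by a pixel or two.
REIMPRESSION = [(1, -1), (31, 1), (-1, 41), (29, 39), (16, 21)]


def demo():
    enrolled = distance_table(ENROLLED)
    genuine = distance_table(REIMPRESSION)
    forged = tamper(enrolled)
    return {
        "genuine_shift": max_shift(genuine, enrolled),
        "genuine_residual": planar_residual(genuine),
        "forged_shift": max_shift(forged, enrolled),
        "forged_residual": planar_residual(forged),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value:.3f}")
```

The forged table moves every distance by less than the genuine re-impression does, yet only the forged table fails the geometric check, which is why a verifier should test consistency rather than the size of the change.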

The advantages of using a central authentication platform and a "challenge-response"
authentication method are described in U.S. Patent No. 5,420,908 described
above. However, the "challenge-response" authentication suggested in that patent differs
significantly from the current invention in at least two ways: First, the patent suggests a
shared secret key (S-key) between the wireless phone and the central authentication system.
This necessarily requires a specialized memory chip that can store the S-key to be part of
the wireless phone itself. Therefore, in the event that the wireless phone is lost or stolen,
illegal calls can be made from the phone unless special instructions to block such newly
illegal calls have been sent to the central authentication system. The current invention, in
contrast, relies on information that is stored at the user's fingertips itself, and therefore
does not require the wireless phone unit itself to store any secret key/information.
Consequently, a stolen or lost phone cannot be used illegally. Second, the
challenge-response method described in the '908 patent does not transmit the S-key itself over the air
interface. The present invention may allow transmission of the "secret" key through the air
interface, because the present challenge-response authentication scheme is not dependent on
the "secret" key per se. In a preferred embodiment, however, the key (CK 202) is kept
secret by some acceptable technique such as sending the challenge and response over
variable channels unrelated to the voice transmission and/or providing additional encryption
of the keys themselves.

By using personal biometric information, like fingerprints, the present invention
may overcome the major drawbacks of the generic "challenge-response" authentication
schemes as typified by the '908 patent method.

FIGS. 3A and 3B present a flow chart of one typical sequence of events in a
"challenge-response" authentication of this invention. The user begins the process at a step
300 by dialing a telephone number using the keypad 112 of the wireless telephone 102.
The MIN, ESN, and the phone number of the party being called are transmitted to MSC
103 at a step 301. At a branch point 302, as in a conventional system, MSC 103 either
confirms the legitimacy of the MIN-ESN pair and goes to a next step 303, or blocks the call
at a step 315. At a branch point 303, the MSC determines if the user of the MIN requested
additional security. If the result is NO, the call is connected just as routinely done in a
conventional system at a step 316. If the result is YES, the MIN is sent to the CAS 106 at
a step 304.

In a step 305, CAS 106 accesses MCKD 107 and requests token CK 202 that is
associated with the MIN. CAS 106 then generates a challenge that is different each time.
This is then encrypted with the token 202 in a step 306. The CAS 106 sends token CK
202 and the encrypted challenge to the wireless telephone via a step 307 using PSTN or
Internet 105. Additional layers of security can be added to the encrypted challenge and CK
202 if so desired. For example, the encrypted challenge can be sent to the mobile wireless
phone over a different wireless forward channel.

In a step 308, the user gives his/her fingerprint to the FCPD 101 and this is used to
generate a token. In certain variations, step 308 can be performed at any point after step 301
and the generated token stored in a memory 404 (FIG. 4). After the encrypted challenge
has been sent to phone 102 and a token has been generated from the user's fingerprint,
FCPD 101 compares the generated token with the token it received from the CAS 106 at a
conditional branch point 309. If they do not match, the call is blocked at a step 315. In
one embodiment, whenever a call is blocked the token sent by FCPD 101 of the caller's
fingerprint can be forwarded via MSC 103 through CAS 106 and specially stored for later
criminal investigation of fraudulent phone use (step 318). If they match, the token received
from CAS 106, or in other embodiments both tokens (including the one generated at the
phone), is used to decrypt the challenge sent from CAS 106 in a step 310 (begin FIG. 3B).
The FCPD 101 then sends both the now-decrypted challenge and the locally generated
token (from the user's fingerprint captured on FCPD 101) back to CAS 106 by way of
MSC 103 via a step 311.

Generally, the invention's direct mapping of individuals personally to the phone
calls they make also allows the mapping of callers who attempt unsuccessful break-ins into
the wireless phone system. Permanent records of the tokens generated from the
fingerprints of callers attempting illegal entry can be kept, if desired, for further criminal
investigation. More importantly, the mere idea of the potential of being caught when
illegally using someone else's phone may greatly reduce phone fraud.

After receiving the decrypted challenge from FCPD 101, CAS 106 compares it with
the challenge stored in a CAS temporary memory 607 (FIG. 6) at a conditional branch
point 312. If the match is not successful the result from step 312 is NO and the call is
blocked at a step 315 and then step 313 may be permitted if so desired. If there is a match
the result is YES and the process moves on to a conditional step 313. At this step, CAS
106 compares the token generated from the user's fingerprint captured and sent by FCPD
101 to one or more stored in its database 107 at column 202. If these tokens do not match,
the call is blocked, again at step 315 and step 318 is optionally performed. This second
matching of the tokens (note that they were initially compared at step 309) is provided for
additional security and may be dispensed with if desired.

Next, at an optional decision step 320, CAS 106 compares the token received from
FCPD 101 with one or more stored tokens which were previously received from FCPD
101 and CK 202. These previously received tokens are preferably those stored in column
204 of database table 107. If it is found that the most recently received token exactly
matches one of the tokens stored in columns 202 and 204 of database 107, the call is
blocked at step 315 (and step 318 is optionally performed). As noted above, tokens are
generally not identical if they capture a fingerprint with sufficient resolution because each
fingerprint from a given individual will vary slightly (e.g., the minutiae may be slightly
offset from one another). To ensure authentication in the case where a given individual
actually does give two identical legitimate tokens, the system may only block the call if two
or more successive tokens exactly match one or more of the stored tokens.

If the tokens match at step 313 but not identically (optional step 320), the call is
authenticated for connection at a step 314. Thereafter, at a step 316, the process returns to
the routine present-day calling protocol to complete the connection. If needed, allowance
for failed authentication due to severe token corruption from wireless noise etc., can be
made by having the protocol automatically re-try the entire procedure at step 304. The
entire process exits at a step 317 and ends the illustrated flow-diagram.

In a further preferred embodiment, the format of the embedded fingerprint minutiae
contains a timestamp specifying the time at which the user's fingerprint was taken. The
CAS would then deny access if the timestamp was not from an appropriate window in time
(chosen to allow for a reasonable delay between transmission of the challenge and receipt
of the newly generated fingerprint token). If a person should intercept the user's
fingerprint token, not only would he/she have to extract the fingerprint minutiae, but he/she
would also have to properly update the timestamp in order to defeat the system. In some
embodiments, the CAS only checks for timestamp, rather than examining the newly
received token for an exact match to some multiple previously received tokens.
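The tolerance-based token matching, the exact-repeat check of step 320 and the timestamp window described above, combined into one CAS-side decision routine as an added example (not the patent's own code). The tolerance, match fraction, window length, class names and sample tokens are assumptions, and encryption of the challenge is left out so the block stays on the matching logic.

```python
"""Added illustration of the CAS-side decisions (steps 312, 313, 320 and the
timestamp window). Not the patent's code; all numeric parameters are assumed."""
import hmac
import math
from dataclasses import dataclass, field

TOLERANCE = 4.0       # assumed: max distance (pixels) for two minutiae to coincide
MIN_FRACTION = 0.8    # assumed: share of enrolled minutiae that must be paired
WINDOW_SECONDS = 30   # assumed: accepted age of a token's timestamp


@dataclass(frozen=True)
class Token:
    minutiae: tuple    # ((x, y), ...) minutiae coordinates
    timestamp: float   # capture time in seconds


@dataclass
class MckdRow:
    ck: Token                                    # column 202: enrolled token
    recent: list = field(default_factory=list)   # column 204: recently received tokens


def fuzzy_match(enrolled, candidate):
    """Pair each enrolled minutia with the nearest unused candidate minutia."""
    unused = list(candidate.minutiae)
    paired = 0
    for point in enrolled.minutiae:
        if not unused:
            break
        nearest = min(unused, key=lambda q: math.dist(point, q))
        if math.dist(point, nearest) <= TOLERANCE:
            unused.remove(nearest)
            paired += 1
    return paired >= MIN_FRACTION * len(enrolled.minutiae)


def is_replay(row, candidate):
    """Exact minutiae equality with CK or any stored token, ignoring the timestamp."""
    return any(candidate.minutiae == t.minutiae for t in (row.ck, *row.recent))


def authenticate(row, issued, returned, candidate, now):
    """Return the CAS decision for one response from the FCPD."""
    if not hmac.compare_digest(issued, returned):
        return "block: challenge mismatch"       # step 312
    if not fuzzy_match(row.ck, candidate):
        return "block: fingerprint mismatch"     # step 313
    if is_replay(row, candidate):
        return "block: exact repeat"             # step 320
    if not 0 <= now - candidate.timestamp <= WINDOW_SECONDS:
        return "block: stale timestamp"
    row.recent.append(candidate)                 # kept for later replay checks
    return "connect"                             # step 314


# Constructed sample tokens.
ENROLLED = Token(((10, 10), (40, 22), (63, 57), (25, 80), (90, 35)), 0.0)
FRESH = Token(((11, 9), (41, 24), (62, 58), (26, 79), (88, 36)), 1000.0)
STRANGER = Token(((15, 60), (70, 12), (33, 41), (80, 80), (5, 30)), 1000.0)


def demo():
    row = MckdRow(ck=ENROLLED)
    replay = Token(FRESH.minutiae, 1100.0)        # captured token, timestamp rewritten
    stolen_ck = Token(ENROLLED.minutiae, 1100.0)  # CK taken from a copied database
    late = Token(((9, 11), (39, 21), (64, 56), (24, 81), (91, 34)), 1000.0)
    return [
        authenticate(row, b"n1", b"n1", FRESH, now=1005.0),
        authenticate(row, b"n2", b"n2", replay, now=1105.0),
        authenticate(row, b"n3", b"n3", stolen_ck, now=1105.0),
        authenticate(row, b"n4", b"n4", STRANGER, now=1005.0),
        authenticate(row, b"n5", b"XX", FRESH, now=1005.0),
        authenticate(row, b"n6", b"n6", late, now=1105.0),
    ]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

Because the repeat check compares minutiae and ignores the timestamp, a captured token is still rejected after its timestamp has been rewritten; the timestamp window then covers genuine but delayed tokens.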

FIG. 4 is a diagram presenting one embodiment of the FCPD 101 and its
interconnection with the wireless telephone 102 (FIG. 1). The illustrated FCPD 101
contains a fingerprint imager 417 for converting a fingerprint from a finger 415 into a
fingerprint image. FCPD 101 also includes a CPU (central processing unit) 401 that can
supply all the computational needs of the "challenge-response" authentication process, and
more importantly all necessary processing of fingerprint images and their subsequent
comparison. An interface port 402 and a data bus line 403 are together capable of handling
all the communications between various parts of FCPD 101 and wireless telephone 102.
This includes all types of serial interfaces and voice channels for transmitting and receiving
data. A memory module 404 stores at least those items necessary to the operation of FCPD
101 including: 1) a software program 405 which contains program codes for fingerprint
image processing, matching, decryption of the challenge, and the generation of responses;
and 2) a response storage unit 406 which temporarily stores the response before sending it
to the CAS 106.

CPU 401 can be any suitable integrated circuit or electronic design including
multichip modules and circuitry formed on printed circuit boards. If it is an integrated
circuit, it may be a general purpose microprocessor, a logic device such as an application
specific integrated circuit (ASIC), etc. Examples of suitable ASICs include gate arrays,
simple and complex programmable logic devices (PLDs), digital signal processors (DSPs),
and field programmable gate arrays (FPGAs).

In one embodiment, fingerprint imager 417 includes a fingerprint capture surface
such as a window or capacitor array which produces an image of the user's fingerprint
when the user places his or her finger thereon. In addition, imager 417 includes the optics
necessary to direct an optical image of the fingerprint onto a solid state imager which also
forms part of fingerprint imager. The solid state imager, which is preferably a CCD array
or a CMOS photodiode/photogate array, generates an electronic image of the user's
fingerprint. If the solid state imager is a CMOS photodiode/photogate array, it may be
provided on a single integrated circuit together with processing logic such as CPU 401.
Further details of suitable optical fingerprint imagers are provided in U.S. Provisional
Application No. 60/025,949, "Embeddable Module for Fingerprint Capture and Matching,"
filed on September 11, 1996, and naming R. Rao, S. Subbiah, Y. Li & D. Chu as
inventors. In an alternative embodiment, imager 417 may be a capacitor array formed on a
semiconductor substrate such as that described in the May 22, 1997 edition of the San
Francisco Chronicle, "New Chip Verifies Fingerprints" which pertains to a product of
Veridicom Corporation. In another alternative embodiment, imager 417 may be an
ultrasonic mechanism formed on semiconductor substrates.

It is important to note here an advantage over the "challenge-response"
authentication method presented in U.S. Pat. No. 5,420,908 (referred to as the
Secret-Key). In the present invention, "key" need not be persistently stored in the FCPD 101
module. Therefore the wireless telephone cannot be used by any other user even when it is
lost or stolen.

In a preferred embodiment, telephone 102 is a conventional wireless telephone. It
communicates with FCPD 101 over a connection line 407 which may be a parallel or serial
connection. Telephone 102 may contain a key pad 411, all necessary telecommunication
functions 413 (including a stored MIN and provisions for generating a dialed number from
key pad inputs), data bus lines 412, and an interface port 410 for communicating with
FCPD 101 (over connection line 407) and with wireless stations such as an MSC. It is
important to note that interface port 410 should be capable of interfacing not only voice
communication signals (for standard mobile phone operation), but other communication for
control between the CAS 106 and the FCPD 101 to complete the "challenge-response"
authentication. In a preferred embodiment, interface port 410 is capable of sending and
receiving fingerprint data over a data channel which operates at a different frequency from a
communications channel which sends and receives the wireless communications (e.g.,
voice data).

Preferably, FCPD 101 is integrated directly within the casing of a conventional
wireless telephone or other communication source. The only distinction being the presence
of a fingerprint capture window on the side of the telephone and accessing imager 417. In
an especially preferred embodiment, a single integrated circuit provides most of the
functions of FCPD 101 and telephone 102. These functions include, for example, CPU
401, memory 404, and telecom functions 413. As functions from both FCPD 101 and
telephone 102 are provided on the same chip, interface port 402 and connection line 407 are
not required. A modified version of interface port 410 having only the functionality
necessary to communicate with other wireless stations (not FCPD 101) may be employed
on the integrated circuit. This single chip embodiment has the advantage of an extra layer of
security as thieves will be unable to directly monitor signals crossing connection line 407.

If fingerprint imager 417 is a CMOS imager, it may be integrated with other
components on the integrated circuit. If imager 417 is a CCD array, it typically will have to
be provided on a separate chip.

Suitable design parameters of FCPD 101 can be specified based upon the general
requirements of fingerprint analysis and matching algorithms. A typical human fingerprint
has an aspect ratio of about three to two; that is, it is one-half times as long as it is wide.
The average fingerprint has about 50 ridge lines separated by intervening valley lines that
are about equally as thick. Generally the lines run from left to right and as they do they
first traverse upwards and later downwards. Given this amount of information, the Federal
Bureau of Investigation has suggested that fingerprint detection systems should provide an
array of 512x512 pixels since it allows for at least four pixels per ridge line and four per
valley line. Preferably, though not necessarily, the imager employed in the FCPD 101
contains an array of at least 512x512 pixels. Using sophisticated fingerprint imaging
algorithms such as those described in the above-referenced US Provisional Application
60/025,949, significantly smaller arrays can be employed. In one embodiment, the array
may include 240x160 pixels or, in another embodiment, 120x160 pixels. The use of such
small arrays has the advantage of requiring (1) less processing resources from CPU 401
and (2) less space from memory 404 during processing of a large array of fingerprint data.

Accurate fingerprint matching technology, which is well-known in the art (see, for
example, U.S. Pat. Nos. 2,952,181, 4,151,512, 4,322,163, 4,537,484, 4,747,147, 5,467,403
which were previously incorporated by reference), has for over a hundred years relied
on the extraction and subsequent comparison of specialized features called minutiae.
Minutiae are essentially of two equally frequent types - either the abrupt ending of a line in
the middle of the fingerprint or the fusion of two lines to create a Y-shaped junction.
Typically there are about 60 or 70 such features in a fingerprint and it is the relative location
of these from each other that creates a unique spatial pattern that statistically no other human
can possess.

Suitable methods of fingerprint matching may involve software processing steps as
illustrated in FIG. 5. After capturing the fingerprint image (step 501), a contrasting
algorithm (step 503) reduces all the gray shades of a captured image 502 to either black (for
ridge lines) or white (for valley lines) as shown in image 504. Traditionally these
algorithms are omni-directional. Basically, the particular shade of gray at each pixel is
compared with those of the neighboring pixels in all directions and if judged to be relatively
darker than most of its neighbors it is deemed to be black, otherwise white. After this
contrasting step, the contrasted image 504 is further processed by a thinning algorithm
(step 505). The object here is to reduce the black lines from being on average four pixels
thick to only one pixel thick, thereby increasing the number of white pixels substantially.
A thinned image 506 is then examined by further algorithms (step 507) that attempt to
deduce and accurately extract the minutiae and their locations as shown in a map 508. The
process is then completed at 509. All further fingerprint matching/comparison often relies
primarily on these 60 or 70 extracted pieces of information.

Central authentication system (CAS) 106 is preferably, though not necessarily,
provided as a server or other node connected to one or more MSCs over a public switched
telephone network. CAS 106 may also have wireless connection to an MSC or may even
form a part of the MSC. Generally, CAS 106 must be able to generate and compare
challenges, access a database of fingerprint based tokens, and communicate with a plurality
of wireless sources (e.g., mobile cellular telephones) via the one or more MSCs.

FIG. 6 is a diagram of CAS 106 in accordance with one embodiment of this
invention. The design is superficially similar to the FCPD 101 (and the design presented in
U.S. Pat. No. 5,420,908). Connected to CAS 106 are PSTN 105 and MCKD 107. CAS
106 must be able to handle, simultaneously, many calls from many wireless carriers. It
includes a memory 605 including a persistently stored program 606 and various
temporarily stored items including a challenge 607, a response token 608, and a decrypted
message 609. Program 606 contains the instructions for generating a challenge, encrypting
the challenge with a fingerprint based token, validating a decrypted challenge (e.g., by
comparison with the generated challenge), fingerprint matching based on tokens, and, in
some embodiments, comparing a response token with one or more stored tokens and
further assuring that tokens are not identical as that would imply illegal use. Response
token 608 is a memory entity containing the token sent back from the FCPD 101 in the
wireless telephone 102 before token matching is conducted. When a new token is provided
from FCPD, stored token is updated.

In addition, CAS 106 includes a CPU 602 for controlling the execution of a
program 606, accessing memory 605, communicating with the MSCs over the PSTN.
Communication over the PSTN is provided through a data interface 601 in CAS 106 which
is connected to the PSTN over a line 105. In addition, CAS 106 communicates with
MCKD database 107 through a database interface 603 as shown. CPU 602, memory 605,
database interface 603, and data interface 601 communicate with one another over a data
bus 604.

In a preferred embodiment, the initial registration of the phone-owner's fingerprint
at the CAS 106 to create the appropriate entry into the MCKD 107 need not require the user
to visit the central phone service provider. When the phone-owner purchases or rents the
wireless phone at any local phone store he or she can use the FCPD 101 on the newly
purchased wireless telephone 102 itself to activate registry at the CAS 106 via the common
air interface and MSC 103. The phone's ESN and MIN can be sent along with the owner's
fingerprint and placed in the CAS database for future use.

In yet another embodiment of the present invention, multiple users can be permitted
to use the same wireless phone. All that is required is that the MCKD 107 at the CAS 106
be allowed to contain multiple CKs 202, one generated from each user of the same phone.
Such authorization can in principle be activated/initiated by the phone owner serving as a
master user who can at any time recruit additional users to be able to use their phone. By
activating appropriate buttons on the phone, the master user can, in principle, activate the
phone and the CAS 106 to receive a newly recruited user's fingerprint for association with
the master user's entry in the MCKD 107. The master user can remotely authorise this
action by simply validating it with his/her fingerprint. Again by engaging a pre-defined
sequence of buttons on the phone the master user could also in principle remove previously
authorized co-users.

In a further embodiment of the present invention, the phone owner could use more
than one fingerprint as a means to authenticate his/her identity. The MCKD 107 can be
arranged to contain information regarding more than one fingerprint of the owner. In fact,
if additional password-like security beyond fingerprint security is desired, the owner can
provide multiple fingerprints from different fingers in a particular secret order. This can
serve as a "password" known only to the owner.

In one use of the current invention, the traditional MINs and ESNs associated with
wireless phones are no longer required. The wireless telephone 102 will have an integrated
FCPD 101. When a user dials a number, the number of the party being called and the
token generated from the fingerprint of the user on the FCPD 101 will be sent to the MSC
103 and then forwarded to the CAS 106 for authentication based only on the fingerprint
token of the user for billing and authorization purposes. Because each fingerprint token
generated from the same finger will be different, a token intercepted from the common air
interface cannot easily be used for fraudulent use of wireless telephones. If a particular
token generated from a fingerprint is captured illegally from the air interface and
subsequently used repeatedly to authorize illegal calls, this can be detected very easily by
the CAS 106 since it would in normal circumstances expect somewhat different and varied
tokens being generated from the same fingerprint. Because such variations in the generated
token are intrinsic to the way fingerprint information is distributed on the finger itself, these
variations cannot be gleaned from illegally capturing one token from the common
air interface. That is, tokens generated from the same fingerprint at different impressions
on the FCPD 101 will vary so that merely having illegally captured one of these variations
will not enable the generation of varied tokens that are still meaningfully related to the
original fingerprint. The only thing that can be done is to use the exact same illegally
captured token to make illegal calls, but that can be easily detected. Thus it is possible that
the systems of this invention can allow any user to use any wireless telephone to place
calls.

In another use of the current invention, the identity of the user can be authenticated
for the purpose of identifying the caller's personal identity rather than merely the phone
number from which the caller initiated the call - i.e. the source terminal-ID. In one embodiment of
the present invention, at step 319 (FIG. 3), the caller's personal identity as determined by
the CAS 106 can be made available to the call control entity or the recipient of the call.
Based on the prior knowledge of who the caller is (and not just merely what phone number
the caller is calling from) the call recipient may elect to block the call even after it has been
authenticated as being non-fraudulent at step 314.

The current invention also provides a method for the identification of the caller
(caller ID) originating the phone call. In recent years, caller ID technology (where the
phone number of the caller's phone is automatically revealed to the call control entity or the
recipient of the phone call in a manner that allows the recipient to screen his or her calls)
has become increasingly commonplace. In effect, caller-ID as practiced today is really
terminal-ID (the ID of the caller's phone) and not really the personal identity of the caller.
With the present invention, wireless and traditional wired phones that have the built-in
capacity to capture/compare fingerprint information and communicate with an MSC for
authorization can allow the caller to be personally identified (rather than simply the caller's
phone number) to the call control entity or the recipient for call screening or other
authentication purposes. Indeed, both the caller-ID and the terminal-ID can be jointly
authenticated for an even higher level of security in phone networks.

As mentioned, the technology described herein may be employed in contexts other
than cellular telephone systems. For example, the invention may be employed to ensure
secure access to a vehicle with a wireless security system. Many automobiles now employ
wireless systems to allow remote control of door locking, automotive alarm systems,
lighting, etc. within the automobile. When the owner approaches his or her car, he or she
can unlock the car doors or activate/inactivate other car systems before actually reaching the
car. This is accomplished with the click of a button on a wireless control module.
Unfortunately, if such a module falls into the hands of a thief (or if the wireless signal is
illegally captured through the air and decoded), he may be able to circumvent the car's
security mechanism(s) and obtain control of the car. The present invention provides a
mechanism to protect against this possibility.

WO 98/11750    PCT/US97/16094

Wireless car security systems of this invention may employ a wireless control
module (source) containing the logic necessary for capturing and transmitting a token based
upon a user's fingerprint. The logic may be contained within a module as described above
with reference to FCPD 101. Generally, the vehicle itself may provide most of the
functionality described above with reference to CAS 106. Of course, it need not provide
access to a PSTN or database 107. However, it should include a fingerprint token of the
car operator and possibly multiple recently received tokens so that access may be blocked if
the token exactly matches a received token.

The vehicle protection mechanism of this invention may operate as follows. First, the system on board the vehicle determines that a request for access to the vehicle has been initiated from a wireless source. Next, the vehicle system determines whether the source fingerprint data provided at the wireless source matches stored fingerprint data provided for the vehicle. Access to the vehicle is then permitted (e.g., car doors are unlocked) if the source fingerprint data matches the stored fingerprint data. In some embodiments, the wireless source may prompt its user for a fingerprint from which to generate the source fingerprint data.
In especially preferred embodiments, a full challenge-response protocol as described above with reference to Figures 3A and 3B is employed. This may involve generating an encrypted challenge from a challenge and a token based on the fingerprint data stored with the automobile. Then, the encrypted challenge and the stored fingerprint token are sent to the source where the stored and source fingerprints are compared. If they match, one of the fingerprints is used to decrypt the encrypted challenge. The now decrypted challenge and the source fingerprint data are then sent back to the automobile where the decrypted challenge is confirmed and the source and stored fingerprints are again compared. If all tests are passed, access to the automobile is permitted.
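The vehicle-side exchange described above, including the block on a token that exactly repeats one already received, written out as an added Python example that is not part of the original document. The tolerance-based `matches` comparison, the hash-derived XOR cipher (a stand-in, since the text names no cipher) and all class, function and sample-token names are assumptions.

```python
import hashlib
import secrets

TOLERANCE = 2        # assumed: allowed difference per distance between two scans
MIN_FRACTION = 0.8   # assumed: share of distances that must agree

def matches(a, b):
    """Fuzzy comparison of two distance-vector tokens."""
    close = sum(abs(x - y) <= TOLERANCE for x, y in zip(a, b))
    return len(a) == len(b) and close >= MIN_FRACTION * len(a)

def xor_cipher(token, data):
    """Stand-in cipher keyed by a token (encrypts and decrypts); not secure."""
    stream = hashlib.sha256(repr(tuple(token)).encode()).digest()
    return bytes(d ^ s for d, s in zip(data, stream))

class Vehicle:
    def __init__(self, stored_token):
        self.stored = tuple(stored_token)
        self.received = set()      # tokens already received from sources
        self.challenge = None

    def start(self):
        """Send the encrypted challenge together with the stored token."""
        self.challenge = secrets.token_bytes(16)
        return xor_cipher(self.stored, self.challenge), self.stored

    def finish(self, decrypted, source_token):
        """Confirm the challenge, compare again, block exact repeats."""
        source_token = tuple(source_token)
        challenge, self.challenge = self.challenge, None   # single use
        replayed = source_token in self.received
        self.received.add(source_token)
        if challenge is None or replayed:
            return False
        return (secrets.compare_digest(decrypted, challenge)
                and matches(source_token, self.stored))

def source_respond(encrypted, stored_token, scan):
    """Wireless source: compare fingerprints, then decrypt the challenge."""
    if not matches(scan, stored_token):
        return None
    return xor_cipher(stored_token, encrypted), tuple(scan)

# Constructed sample tokens (not real fingerprint data).
STORED = (41, 57, 63, 72, 88, 95, 104, 119, 127, 140)
SCAN_1 = (42, 57, 62, 72, 89, 95, 104, 118, 127, 141)   # same finger, new scan
OTHER = (10, 20, 30, 40, 50, 60, 70, 80, 90, 100)       # different finger
```

A second `finish` call that carries `SCAN_1` again is refused even when the challenge is decrypted correctly, because the token is already in `received`.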

While the present invention has been described in terms of a preferred embodiment and certain variations thereof, the scope should not be limited to the specifics presented above. For example, while the system of this invention has been described as including a central authentication system separated from a mobile switching center by a public switched telephone network, the invention may be implemented by providing the central authentication system within the mobile switching center. In this case, it may be necessary to provide a mechanism for regularly updating the authentication system at each mobile switching center. Further, the invention may be advantageously employed in systems that do not employ a secret key. Importantly, the invention may rely on biometric information other than fingerprints. Examples of such alternative biometric information include, but are not limited to, a user's voice, personal information, photograph, hand shape, and retina.

Many similar variations on the above-described preferred embodiment may be employed. Therefore, the invention should be broadly interpreted with reference to the following claims.
CLAIMS

What is claimed is:

1. A method for authenticating a call to be made over a communication system, the method comprising:

(a) determining that the call has been initiated from a source;

(b) determining whether source fingerprint data provided from said source matches stored fingerprint data associated with said source; and

(c) if said source fingerprint data matches said stored fingerprint data, allowing said call to be completed.

2. The method of claim 1, wherein the communication system forms at least part of a wireless telephone network.

3. The method of claim 2, wherein the call initiated from the source may be forwarded through any of a plurality of mobile switching centers.

4. The method of claim 2, wherein said source is a mobile cellular telephone.

5. The method of claim 4, wherein determining that a call is being initiated includes detecting transmission of at least one of a mobile identification number (MIN) and an electronic serial number (ESN) associated with the mobile cellular telephone.

6. The method of claim 5 further comprising confirming that said at least one of the MIN and the ESN is valid.

7. The method of claim 1 further comprising:

requesting that said source fingerprint data be provided from the source of said call.

8. The method of claim 1, wherein said fingerprint data is provided in an inter-minutiae distance-vector-derived format.

9. The method of claim 1, further comprising:

encrypting a challenge with the stored fingerprint data to produce an encrypted challenge; and

providing the encrypted challenge to the source for the purpose of decrypting by the source with the source fingerprint data.
10. The method of claim 9, wherein the step of determining whether the source and stored fingerprint data match comprises:

receiving a decrypted challenge from said source, which decrypted challenge has been decrypted with the source fingerprint data; and

comparing the challenge with the decrypted challenge from the source.

11. The method of claim 1, further comprising:

determining whether the source fingerprint data is identical to one or more instances of sample fingerprint data previously received; and

if the source and any one of the instances of the sample fingerprint data are identical, preventing the call from being completed.

12. The method of claim 1, where the fingerprint data is provided in a timestamp.

13. A method for accessing a vehicle with a wireless security system, the method comprising:

(a) determining that a request for access to the vehicle has been initiated from a wireless source;

(b) determining whether source fingerprint data provided at said wireless source matches stored fingerprint data provided for the vehicle; and

(c) if said source fingerprint data matches said stored fingerprint data, allowing access to the vehicle.

14. The method of claim 13, further comprising prompting a user of said wireless source for a fingerprint from which to generate the source fingerprint data.

15. The method of claim 13, wherein the stored fingerprint data is stored in the vehicle.

16. The method of claim 13, wherein the vehicle is a car and allowing access to the car comprises unlocking the car.

17. A method for authenticating a call to be made over a communication system, the method comprising:

(a) transmitting a dialed number to a switching center on said communication network;

(b) receiving a user's fingerprint;

(c) generating source fingerprint data from said user's fingerprint; and

(d) if the source fingerprint data matches stored fingerprint data associated with user, completing the call.

18. The method of claim 17, wherein the communication system forms at least a part of a wireless telephone network.

19. The method of claim 18, wherein (a) through (d) are performed by a mobile cellular telephone.

20. The method of claim 17, further comprising:

transmitting at least one of a MIN and an ESN to said switching center.

21. The method of claim 17, further comprising:

prompting the user to provide a fingerprint.

22. The method of claim 17, wherein generating source fingerprint data provides the source fingerprint data in a format comprising inter-minutiae distance-vector-derived information.

23. The method of claim 17, further comprising:

determining whether the source fingerprint data matches the stored fingerprint data prior to completing the call.

24. The method of claim 23, wherein the stored fingerprint data is provided from a database on a public switched telephone network.

25. The method of claim 17, further comprising:

receiving an encrypted challenge from the switching center;

decrypting the encrypted challenge with the source fingerprint data to produce a decrypted challenge; and

transmitting said decrypted challenge to the switching center, such that if the decrypted challenge is found to match an unencrypted challenge, specifying that the source fingerprint data matches the stored fingerprint data.

26. The method of claim 17, wherein generating source fingerprint data provides the source fingerprint data in a format comprising a timestamp.
27. A wireless communication device capable of rendering wireless communications secure by requiring biometric information from a user, the device comprising:

(a) a wireless communications interface for sending and receiving wireless communications;

(b) a device for capturing the user's fingerprint; and

(c) a processing device capable of converting the user's fingerprint to source fingerprint data which can be transmitted.

28. The device of claim 27, wherein the device is a wireless telephone.

29. The device of claim 28, wherein the wireless telephone includes a casing and provided within said casing are the device for capturing the user's fingerprint and the processing device.

30. The device of claim 27, wherein the wireless communications interface is capable of sending the source fingerprint data to a remote location.

31. The device of claim 30, wherein the wireless communications interface is capable of sending and receiving fingerprint data over a data channel which operates at a different frequency from a communications channel which sends and receives the wireless communications.

32. The device of claim 27, wherein the device for capturing the user's fingerprint includes:

a fingerprint capture surface on which the user can place his or her finger to produce an optical image of the user's fingerprint;

an imager capable of generating an electronic image of the user's fingerprint; and

optics for directing the optical image of the user's fingerprint from the fingerprint capture surface to the imager.

33. The device of claim 32, wherein the imager is selected from the group consisting of CCD arrays and CMOS photodiode/photogate arrays.

34. The device of claim 33, wherein the imager is a CMOS photodiode/photogate array which is provided on an integrated circuit together with the processing device.
35. The device of claim 27, wherein the device for capturing the user's fingerprint is a capacitor array formed on a semiconductor substrate or an ultrasonic mechanism formed on a semiconductor substrate.

36. The device of claim 27, wherein the processing device is a CPU.

37. The device of claim 27, wherein the processing device is capable of comparing the source fingerprint data with stored fingerprint data received from a remote location, whereby when the source and stored fingerprint data are found to match, the device allows a communication to proceed.

38. The device of claim 37, wherein the processing device is capable of decrypting a challenge received from said remote location.

39. A central authentication system connected to a communications network and capable of rendering wireless communications secure by processing biometric information from a user, the device comprising:

(a) a communications interface for sending and receiving data communications over said communications network;

(b) a database interface for accessing a database containing stored fingerprint data associated with users of wireless communications devices; and

(c) a processor capable of determining whether a wireless communication from a wireless communications device should be permitted based upon a match between a fingerprint taken from said wireless communications device and stored fingerprint data associated with the wireless communications device.

40. The central authentication system of claim 39, wherein the communications interface is coupled to a public switched telephone network.

41. The central authentication system of claim 40, wherein the data communications are directed to one or more mobile switching centers.

42. The central authentication system of claim 39, wherein the database includes, for at least one of said wireless communications devices, a plurality of received tokens containing information from fingerprints taken at said wireless communications device.

43. The central authentication system of claim 42, wherein the processor is capable of comparing a newly received token from a given wireless communication device with said plurality of tokens for said given wireless communications device.

44. The central authentication system of claim 39, wherein the processor is capable of generating an encrypted challenge by encrypting a challenge with a token containing said stored fingerprint data.

45. The central authentication system of claim 39, further comprising a memory which persistently stores a program allowing the processor to determine whether wireless communications from the wireless communications devices should be permitted.

46. The central authentication system of claim 45, wherein the memory can store a challenge and a decrypted challenge so that the processor can determine whether the challenge and the decrypted challenge match.
Telephone number of the recipient of the call, MIN, and ESN are sent to MSC 103

Send MIN to Central Authentication System (CAS 106) from MSC 103 via PSTN 105

Identify the token that is associated with the MIN in the MIN-Challenge Key Database (MCKD 107) at CAS 106

The CAS 106 generates a challenge and encrypts it with the token CK 202. The pre-encrypted challenge is stored locally at CAS 106 for later use.

CAS 106 sends the encrypted challenge and token to the MSC 103 by PSTN 105. This is then forwarded to the wireless phone 102 via air interface.

FCPD 101 requires the wireless phone user to

generated from it.

token with the token (CK 202) received from CAS 106 for match.

Wireless phone 102 uses the token from CAS 106 (i.e., CK 202) to decrypt the challenge received from CAS 106.

The wireless telephone 102 sends the decrypted challenge and the locally generated token back to the CAS 106 via the MSC 103.

challenge received from the wireless telephone 102 with its pre-encrypted challenge that had been stored temporarily (at step 306). Is there a match?